On Thu, Sep 11, 2025 at 09:09:36AM +0800, Yumei Huang wrote: > There is an issue reported by Volker Diels-Grabsch and Boleyn Su. > A segmentation fault occurs when executing the following command: > > (sleep 0.1; ssh -p 22000 127.0.0.1) & passt -f -t 22000:22 > > It's caused by commit 78da088f7bab ("tcp: unify payload and flags > l2 frames array"). Fix it by storing the owner connections of flags > frames into tcp_frame_conns[] array. > > Reported-by: Volker Diels-Grabsch > Reported-by: Boleyn Su > Suggested-by: David Gibson > Fixes: 78da088f7bab ("tcp: unify payload and flags l2 frames array") > Signed-off-by: Yumei Huang Reviewed-by: David Gibson > --- > tcp_buf.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/tcp_buf.c b/tcp_buf.c > index bc898de..d63c18d 100644 > --- a/tcp_buf.c > +++ b/tcp_buf.c > @@ -209,13 +209,14 @@ int tcp_buf_send_flag(const struct ctx *c, struct tcp_tap_conn *conn, int flags) > if (ret <= 0) > return ret; > > - tcp_payload_used++; > + tcp_frame_conns[tcp_payload_used++] = conn; > l4len = optlen + sizeof(struct tcphdr); > iov[TCP_IOV_PAYLOAD].iov_len = l4len; > tcp_l2_buf_fill_headers(conn, iov, NULL, seq, false); > > if (flags & DUP_ACK) { > - struct iovec *dup_iov = tcp_l2_iov[tcp_payload_used++]; > + struct iovec *dup_iov = tcp_l2_iov[tcp_payload_used]; > + tcp_frame_conns[tcp_payload_used++] = conn; > > memcpy(dup_iov[TCP_IOV_TAP].iov_base, iov[TCP_IOV_TAP].iov_base, > iov[TCP_IOV_TAP].iov_len); > -- > 2.47.0 > -- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson
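Review bot: the commit message names the commit that introduced the fault but not the mechanism, and neither of the two new stores in tcp_buf_send_flag() gets a comment; since the hunk only shows the producer side, add a sentence to the message (or a short comment above the first `tcp_frame_conns[tcp_payload_used++] = conn;`) stating which consumer dereferences `tcp_frame_conns[]` for flags frames, so a reader can see why every slot advanced by `tcp_payload_used++` must have its owner recorded. The split in the DUP_ACK branch is correct as written: `tcp_l2_iov[tcp_payload_used]` must be read before the index is bumped by `tcp_frame_conns[tcp_payload_used++] = conn;`, so the order of those two lines should be preserved by future edits; a one-line comment there would make that dependency explicit.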